IN THE CLAIMS:

1. (Currently Amended) A method of proving membership in a nested group, wherein a
presenter of credentials that requests one or more resources to which access is so controlled 
by a recipient of credentials [[so]] as to make them available to members of the nested group 
presents to the recipient of credentials one or more chains of group credentials that prove 
the presenter's membership in the nested group. 

2. (Original) The method of claim 1, wherein one of said chains of group credentials 
comprise one or more proofs of group membership. 

3. (Original) The method of claim 2, wherein said proofs of group membership comprise 
one or more group membership certificates. 

4. (Original) The method of claim 2, wherein said proofs of group membership comprise 
one or more group membership lists. 

5. (Original) The method of claim 1, wherein one of said chains of group credentials 
comprise one or more proofs of group non-membership. 

6. (Original) The method of claim 5, wherein said proofs of group non-membership 
comprise one or more group non-membership certificates. 

7. (Original) The method of claim 5, wherein said proofs of group non-membership 
comprise one or more group membership lists. 

8. (Original) The method of claim 1, wherein said recipient is a resource server.

9. (Original) The method of claim 1, wherein said recipient is an on-line group server. 

10. (Original) The method of claim 1, wherein said recipient is an on-line revocation server. 

11. (Original) The method of claim 1, wherein said recipient is a client.

12. (Currently Amended) A method of proving non-membership in a nested group,
wherein a presenter of credentials that requests one or more resources to which access is so
controlled by a recipient of credentials [[so]] as to make them available to non-members of
the nested group presents to the recipient of credentials one or more chains of group
credentials that prove the presenter's non-membership in the nested group.

13. (Original) The method of claim 12, wherein one of said chains of group credentials
comprise one or more proofs of group membership.

14. (Original) The method of claim 13, wherein said proofs of group membership comprise
one or more group membership certificates.

15. (Original) The method of claim 13, wherein said proofs of group membership comprise
one or more group membership lists.

16. (Original) The method of claim 12, wherein one of said chains of group credentials
comprise one or more proofs of group non-membership.

17. (Original) The method of claim 16, wherein said proofs of group non-membership
comprise one or more group non-membership certificates.

18. (Original) The method of claim 16, wherein said proofs of group non-membership
comprise one or more group membership lists.

19. (Original) The method of claim 12, wherein said recipient is a resource server.

20. (Original) The method of claim 12, wherein said recipient is an on-line group server.

21. (Original) The method of claim 12, wherein said recipient is an on-line revocation
server.

22. (Original) The method of claim 12, wherein said recipient is a client.

23. (Currently Amended) A computer system wherein a presenter of credentials that
requests one or more resources to which access is so controlled by a recipient of credentials
[[so]] as to make them available to members of a nested group presents to the recipient of
credentials one or more chains of group credentials to prove the presenter's membership
in the nested group.

24. (Original) The system of claim 23, wherein one of said chains of group credentials
comprise one or more proofs of group membership.

25. (Original) The system of claim 24, wherein said proofs of group membership comprise
one or more group membership certificates.

26. (Original) The system of claim 24, wherein said proofs of group membership comprise
one or more group membership lists.

27. (Original) The system of claim 23, wherein one of said chains of group credentials
comprise one or more proofs of group non-membership.

28. (Original) The system of claim 27, wherein said proofs of group non-membership
comprise one or more group non-membership certificates.

29. (Original) The system of claim 27, wherein said proofs of group non-membership
comprise one or more group membership lists.

30. (Original) The system of claim 23, wherein said recipient is a resource server.

31. (Original) The system of claim 23, wherein said recipient is an online group server.

32. (Original) The system of claim 23, wherein said recipient is an on-line revocation
server.

33. (Original) The system of claim 23, wherein said recipient is a client.

34. (Currently Amended) A computer system wherein a presenter of credentials that
requests one or more resources to which access is so controlled by a recipient of credentials
[[so]] as to make them available to non-members of a nested group presents to the recipient
of credentials one or more chains of group credentials to prove the presenter's
non-membership in the nested group.

35. (Original) The system of claim 34, wherein one of said chains of group credentials
comprise one or more proofs of group membership.

36. (Original) The system of claim 35, wherein said proofs of group membership comprise
one or more group membership certificates.

37. (Original) The system of claim 35, wherein said proofs of group membership comprise
one or more group membership lists.

38. (Original) The system of claim 34, wherein one of said chains of group credentials
comprise one or more proofs of group non-membership.

39. (Original) The system of claim 38, wherein said proofs of group non-membership
comprise one or more group non-membership certificates.

40. (Original) The system of claim 38, wherein said proofs of group non-membership
comprise one or more group membership lists.

41. (Original) The system of claim 34, wherein said recipient is a resource server.

42. (Original) The system of claim 34, wherein said recipient is an on-line group server.

43. (Original) The system of claim 34, wherein said recipient is an on-line revocation
server.

44. (Original) The system of claim 34, wherein said recipient is a client.

45. (Currently Amended) A method of requesting one or more resources from a server
on a computer network, in which access to said resources is so controlled by said server
[[so]] as to make them available to members of a nested group, the method comprising:

A. obtaining one or more chains of group credentials that prove membership in
the nested group, and

B. transmitting to the server a request for one or more of the one or more
resources, said request including the one or more chains of group credentials that prove
membership in the nested group.

46. (Original) The method of claim 45, wherein one of said chains of group credentials
comprise one or more proofs of group membership.

47. (Original) The method of claim 46, wherein said proofs of group membership comprise
one or more group membership certificates.

48. (Original) The method of claim 46, wherein said proofs of group membership comprise
one or more group membership lists.

49. (Original) The method of claim 45, wherein one of said chains of group credentials
comprise one or more proofs of group non-membership.

50. (Original) The method of claim 49, wherein said proofs of group non-membership
comprise one or more group non-membership certificates.

51. (Original) The method of claim 49, wherein said proofs of group non-membership
comprise one or more group membership lists.

52. (Currently Amended) A method of requesting one or more resources from a server
on a computer network, in which access to said resources is so controlled by said server
[[so]] as to make them available to non-members of a nested group, the method
comprising:

A. obtaining one or more chains of group credentials that prove
non-membership in the nested group, and

B. transmitting to the server a request for one or more of the one or more
resources, said request including the one or more chains of group credentials that prove
non-membership in the nested group.

53. (Original) The method of claim 52, wherein one of said chains of group credentials
comprise one or more proofs of group membership.

54. (Original) The method of claim 53, wherein said proofs of group membership comprise
one or more group membership certificates.

55. (Original) The method of claim 53, wherein said proofs of group membership comprise
one or more group membership lists.

56. (Original) The method of claim 52, wherein one of said chains of group credentials
comprise one or more proofs of group non-membership.

57. (Original) The method of claim 56, wherein said proofs of group non-membership
comprise one or more group non-membership certificates.

58. (Original) The method of claim 56, wherein said proofs of group non-membership
comprise one or more group membership lists.

59. (Currently Amended) A client device on a computer network, said client device
configured for requesting one or more resources from a server on the network, in which
access to said resources is so controlled by said server [[so]] as to make them available to
members of a nested group, said client device comprising:

A. means for obtaining one or more chains of group credentials that prove client
membership in the nested group, and

B. means for transmitting to the server a request for one or more of the one or
more resources, said request including the one or more chains of group credentials that
prove client membership in the nested group.

60. (Original) The client device of claim 59, wherein one of said chains of group credentials 
comprise one or more proofs of group membership. 

61. (Original) The client device of claim 60, wherein said proofs of group membership 
comprise one or more group membership certificates. 

62. (Original) The client device of claim 60, wherein said proofs of group membership 
comprise one or more group membership lists. 

63. (Original) The client device of claim 59, wherein one of said chains of group credentials 
comprise one or more proofs of group non-membership. 

64. (Original) The client device of claim 63, wherein said proofs of group non-membership
comprise one or more group non-membership certificates.

65. (Original) The client device of claim 63, wherein said proofs of group non- 
membership comprise one or more group membership lists. 

66. (Currently Amended) A client device on a computer network, said client device 
configured for requesting one or more resources from a server on the network, in which 
access to said resources is so controlled by said server [[so]] as to make them available to 
non-members of a nested group, said client device comprising: 

A. means for obtaining one or more chains of group credentials that prove client 
non-membership in the nested group, and 

B. means for transmitting to the server a request for one or more of the one or 
more resources, said request including the one or more chains of group credentials that 
prove client non-membership in the nested group.

67. (Original) The client device of claim 66, wherein one of said chains of group credentials
comprise one or more proofs of group membership.

68. (Original) The client device of claim 67, wherein said proofs of group membership
comprise one or more group membership certificates.

69. (Original) The client device of claim 67, wherein said proofs of group membership
comprise one or more group membership lists.

70. (Original) The client device of claim 66, wherein one of said chains of group credentials
comprise one or more proofs of group non-membership.

71. (Original) The client device of claim 70, wherein said proofs of group non-membership
comprise one or more group non-membership certificates.

72. (Original) The client device of claim 70, wherein said proofs of group
non-membership comprise one or more group membership lists.

73. (Previously Presented) A method for operating a resource server on a computer
network, said resource server configured to control access to one or more resources and
provide access thereto to members of a nested group, the method comprising:

A. receiving a resource-access request from a client, said request including one
or more chains of group credentials proving client membership in the nested group,

B. validating the one or more chains of group credentials, and

C. if the one or more chains of group credentials are determined to be valid,
providing the requested access to the client.

74. (Original) The method of claim 73, wherein one of said chains of group credentials
comprise one or more proofs of group membership.

75. (Original) The method of claim 74, wherein said proofs of group membership comprise
one or more group membership certificates.



PATENTS 

Attorney Docket No. SMY-013.01 

P3686 

76. (Original) The method of claim 74, wherein said proofs of group membership comprise 
one or more group membership lists. 

77. (Original) The method of claim 73, wherein one of said chains of group credentials 
comprise one or more proofs of group non-membership. 

78. (Original) The method of claim 77, wherein said proofs of group non-membership 
comprise one or more group non-membership certificates. 

79. (Original) The method of claim 77, wherein said proofs of group non-membership 
comprise one or more group membership lists. 

80. (Previously Presented) A method for operating a resource server on a computer 
network, said resource server configured to control access to one or more resources and 
provide access thereto to non-members of a nested group, the method comprising: 

A. receiving a resource-access request from a client, said request including one 
or more chains of group credentials proving client non-membership in the nested group, 

B. validating the one or more chains of group credentials, and 

C. if the one or more chains of group credentials are determined to be valid, 
providing the requested access to the client. 

81. (Original) The method of claim 80, wherein one of said chains of group credentials 
comprise one or more proofs of group membership. 

82. (Original) The method of claim 81, wherein said proofs of group membership comprise
one or more group membership certificates.

83. (Original) The method of claim 81, wherein said proofs of group membership comprise
one or more group membership lists. 

84. (Original) The method of claim 80, wherein one of said chains of group credentials
comprise one or more proofs of group non-membership.

85. (Original) The method of claim 84, wherein said proofs of group non-membership
comprise one or more group non-membership certificates.

86. (Original) The method of claim 84, wherein said proofs of group non-membership 
comprise one or more group membership lists. 

87. (Previously Presented) A method for operating a resource server on a computer 
network, said resource server configured to control access to one or more resources and 
provide access thereto to members of a nested group, the method comprising: 

A. means for receiving a resource-access request from a client, said request 
including one or more chains of group credentials proving client membership in the 
nested group, 

B. means for validating the one or more chains of group credentials, and 

C. means for providing the requested access to the client if the one or more 
chains of group credentials are determined to be valid. 

88. (Original) The resource server of claim 87, wherein one of said chains of group 
credentials comprise one or more proofs of group membership. 

89. (Original) The resource server of claim 88, wherein said proofs of group membership 
comprise one or more group membership certificates. 

90. (Original) The resource server of claim 88, wherein said proofs of group membership 
comprise one or more group membership lists. 

91. (Original) The resource server of claim 87, wherein one of said chains of group 
credentials comprise one or more proofs of group non-membership. 

92. (Original) The resource server of claim 91, wherein said proofs of group
non-membership comprise one or more group non-membership certificates.

93. (Original) The resource server of claim 91, wherein said proofs of group
non-membership comprise one or more group membership lists.

94. (Previously Presented) A method for operating a resource server on a computer 
network, said resource server configured to control access to one or more resources and 
provide access thereto to non-members of a nested group, the method comprising: 

A. means for receiving a resource-access request from a client, said request 
including one or more chains of group credentials proving client non-membership in the 
nested group, 

B. means for validating the one or more chains of group credentials, and 

C. means for providing the requested access to the client if the one or more 
chains of group credentials are determined to be valid. 

95. (Original) The resource server of claim 94, wherein one of said chains of group 
credentials comprise one or more proofs of group membership. 

96. (Original) The resource server of claim 95, wherein said proofs of group membership 
comprise one or more group membership certificates. 

97. (Original) The resource server of claim 95, wherein said proofs of group membership 
comprise one or more group membership lists. 

98. (Original) The resource server of claim 94, wherein one of said chains of group 
credentials comprise one or more proofs of group non-membership. 

99. (Original) The resource server of claim 98, wherein said proofs of group non- 
membership comprise one or more group non-membership certificates. 

100. (Original) The resource server of claim 98, wherein said proofs of group
non-membership comprise one or more group membership lists.

101. (Currently Amended) A computer data signal embodied in a carrier wave and
representing a sequence of instructions that, when executed by a processor in a network 
device requesting one or more resources from a server, in which access to said resources 
is so controlled by said server [[so]] as to make them available to members of a nested 
group, configures the network device to operate as a client device that: 

A. obtains one or more chains of group credentials that prove client membership 
in the nested group, and 

B. transmits to the server a request for one or more of the one or more resources, 
said request including the one or more chains of group credentials that prove membership 
in the nested group. 

102. (Original) The computer data signal of claim 101, wherein one of said chains of 
group credentials comprise one or more proofs of group membership. 

103. (Original) The computer data signal of claim 102, wherein said proofs of group 
membership comprise one or more group membership certificates. 

104. (Original) The computer data signal of claim 102, wherein said proofs of group 
membership comprise one or more group membership lists. 

105. (Original) The computer data signal of claim 101, wherein one of said chains of 
group credentials comprise one or more proofs of group non-membership. 

106. (Original) The computer data signal of claim 105, wherein said proofs of group non- 
membership comprise one or more group non-membership certificates. 

107. (Original) The computer data signal of claim 105, wherein said proofs of group 
non-membership comprise one or more group membership lists. 

108. (Currently Amended) A computer data signal embodied in a carrier wave and 
representing a sequence of instructions that, when executed by a processor in a network 
device requesting one or more resources from a server, in which access to said resources 
is so controlled by said server [[so]] as to make them available to non-members of a
nested group, configures the network device to operate as a client device that: 

A. obtains one or more chains of group credentials that prove client non- 
membership in the nested group, and 

B. transmits to the server a request for one or more of the one or more resources, 
said request including the one or more chains of group credentials that prove non- 
membership in the nested group. 

109. (Original) The computer data signal of claim 108, wherein one of said chains of group 
credentials comprise one or more proofs of group membership. 

110. (Original) The computer data signal of claim 109, wherein said proofs of group
membership comprise one or more group membership certificates. 

111. (Original) The computer data signal of claim 109, wherein said proofs of group 
membership comprise one or more group membership lists. 

112. (Original) The computer data signal of claim 108, wherein one of said chains of group 
credentials comprise one or more proofs of group non-membership. 

113. (Original) The computer data signal of claim 112, wherein said proofs of group non- 
membership comprise one or more group non-membership certificates. 

114. (Original) The computer data signal of claim 112, wherein said proofs of group
non-membership comprise one or more group membership lists. 

115. (Previously Presented) A computer data signal embodied in a carrier wave and 
representing a sequence of instructions that, when executed by a processor in a network 
device configured to control access to one or more resources and provide access thereto 
to members of a nested group, configures the network device to operate as a resource 
server that:

A. receives a resource-access request from a client, said request including one or
more chains of group credentials proving client membership in the nested group, 

B. validates the one or more chains of group credentials, and 

C. if the one or more chains of group credentials are determined to be valid, 
provides the requested access to the client. 

116. (Original) The computer data signal of claim 115, wherein one of said chains of group 
credentials comprise one or more proofs of group membership. 

117. (Original) The computer data signal of claim 116, wherein said proofs of group 
membership comprise one or more group membership certificates. 

118. (Original) The computer data signal of claim 116, wherein said proofs of group 
membership comprise one or more group membership lists. 

119. (Original) The computer data signal of claim 115, wherein one of said chains of group 
credentials comprise one or more proofs of group non-membership. 

120. (Original) The computer data signal of claim 119, wherein said proofs of group non- 
membership comprise one or more group non-membership certificates. 

121. (Original) The computer data signal of claim 119, wherein said proofs of group 
non-membership comprise one or more group membership lists. 

122. (Previously Presented) A computer data signal embodied in a carrier wave and 
representing a sequence of instructions that, when executed by a processor in a network 
device configured to control access to one or more resources and provide access thereto 
to non-members of a nested group, configures the network device to operate as a resource 
server that: 

A. receives a resource-access request from a client, said request including one or 
more chains of group credentials proving client non-membership in the nested group, 

B. validates the one or more chains of group credentials, and

C. if the one or more chains of group credentials are determined to be valid,
provides the requested access to the client. 

123. (Original) The computer data signal of claim 122, wherein one of said chains of group 
credentials comprise one or more proofs of group membership. 

124. (Original) The computer data signal of claim 123, wherein said proofs of group 
membership comprise one or more group membership certificates. 

125. (Original) The computer data signal of claim 123, wherein said proofs of group 
membership comprise one or more group membership lists. 

126. (Original) The computer data signal of claim 122, wherein one of said chains of group 
credentials comprise one or more proofs of group non-membership. 

127. (Original) The computer data signal of claim 126, wherein said proofs of group non- 
membership comprise one or more group non-membership certificates. 

128. (Original) The computer data signal of claim 126, wherein said proofs of group 
non-membership comprise one or more group membership lists. 